A recently identified vulnerability in the WordPress core, designated with CVE IDs, enables unauthenticated attackers to execute arbitrary code through simple HTTP requests. This flaw affects all installations of WordPress version 6.9 and 7.0, even those without any plugins, making it a significant risk for numerous websites. The existence of a public proof-of-concept, along with the discovery of a persistent-object-cache condition, amplifies the urgency for site administrators to address this vulnerability promptly.
For businesses operating WordPress sites, the implications are severe. Organizations must ensure that their installations are updated to the latest version as soon as possible to mitigate the risk of exploitation. This incident highlights the importance of regular software updates and security audits in maintaining the integrity of web applications. Additionally, it serves as a stark reminder of the evolving landscape of cybersecurity threats, where even core components of widely-used platforms like WordPress can be susceptible to severe vulnerabilities, necessitating ongoing vigilance and proactive security measures.
---
*Originally reported by [The Hacker News](https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html)*